summaryrefslogtreecommitdiffstats
path: root/meta-rcar-gen2/recipes-kernel/linux/linux-renesas/smack/0016-Smack-Prevent-the-and-labels-from-being-used-in-SMAC.patch
diff options
context:
space:
mode:
authorYannick GICQUEL <yannick.gicquel@iot.bzh>2015-10-19 15:57:07 +0200
committerGerrit Code Review <gerrit@172.30.200.200>2015-11-06 15:23:36 +0000
commitede19ea0c47fb23f3fc779833d1e57cf76f3371e (patch)
tree47d6fae2283c54def1871aaf2a73828ac68b1b34 /meta-rcar-gen2/recipes-kernel/linux/linux-renesas/smack/0016-Smack-Prevent-the-and-labels-from-being-used-in-SMAC.patch
parent1cd8ab18abca96e4ee108f80225058d875b28347 (diff)
kernel: smack security backport from kernel 4
Here is the backport of all patches relating to smack support on kernel side. For more details, see file: meta-rcar-gen2/recipes-kernel/linux/linux-renesas/smack/README Please note that patches are applied only if "smack" is in the ditro features. Here are the 2 lines to add in the local.conf OVERRIDES .= ":smack" DISTRO_FEATURES_append = " smack" Change-Id: I147a3532aec531f977d6ec34c576261835711f1e Signed-off-by: Yannick GICQUEL <yannick.gicquel@iot.bzh> Signed-off-by: José Bollo <jose.bollo@iot.bzh>
Diffstat (limited to 'meta-rcar-gen2/recipes-kernel/linux/linux-renesas/smack/0016-Smack-Prevent-the-and-labels-from-being-used-in-SMAC.patch')
-rw-r--r--meta-rcar-gen2/recipes-kernel/linux/linux-renesas/smack/0016-Smack-Prevent-the-and-labels-from-being-used-in-SMAC.patch104
1 files changed, 104 insertions, 0 deletions
diff --git a/meta-rcar-gen2/recipes-kernel/linux/linux-renesas/smack/0016-Smack-Prevent-the-and-labels-from-being-used-in-SMAC.patch b/meta-rcar-gen2/recipes-kernel/linux/linux-renesas/smack/0016-Smack-Prevent-the-and-labels-from-being-used-in-SMAC.patch
new file mode 100644
index 0000000..43e9fc7
--- /dev/null
+++ b/meta-rcar-gen2/recipes-kernel/linux/linux-renesas/smack/0016-Smack-Prevent-the-and-labels-from-being-used-in-SMAC.patch
@@ -0,0 +1,104 @@
+From 7e4d45e539473706108e6b77dd9c7a6d70a40ffb Mon Sep 17 00:00:00 2001
+From: Casey Schaufler <casey@schaufler-ca.com>
+Date: Mon, 16 Dec 2013 16:27:26 -0800
+Subject: [PATCH 16/54] Smack: Prevent the * and @ labels from being used in
+ SMACK64EXEC
+
+Smack prohibits processes from using the star ("*") and web ("@") labels
+because we don't want files with those labels getting created implicitly.
+All setting of those labels should be done explicitly. The trouble is that
+there is no check for these labels in the processing of SMACK64EXEC. That
+is repaired.
+
+Targeted for git://git.gitorious.org/smack-next/kernel.git
+
+Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
+---
+ security/smack/smack_lsm.c | 53 ++++++++++++++++++++++++++++++++--------------
+ 1 file changed, 37 insertions(+), 16 deletions(-)
+
+diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c
+index b0be893..62ebf4f 100644
+--- a/security/smack/smack_lsm.c
++++ b/security/smack/smack_lsm.c
+@@ -837,31 +837,43 @@ static int smack_inode_setxattr(struct dentry *dentry, const char *name,
+ const void *value, size_t size, int flags)
+ {
+ struct smk_audit_info ad;
++ struct smack_known *skp;
++ int check_priv = 0;
++ int check_import = 0;
++ int check_star = 0;
+ int rc = 0;
+
++ /*
++ * Check label validity here so import won't fail in post_setxattr
++ */
+ if (strcmp(name, XATTR_NAME_SMACK) == 0 ||
+ strcmp(name, XATTR_NAME_SMACKIPIN) == 0 ||
+- strcmp(name, XATTR_NAME_SMACKIPOUT) == 0 ||
+- strcmp(name, XATTR_NAME_SMACKEXEC) == 0 ||
+- strcmp(name, XATTR_NAME_SMACKMMAP) == 0) {
+- if (!smack_privileged(CAP_MAC_ADMIN))
+- rc = -EPERM;
+- /*
+- * check label validity here so import wont fail on
+- * post_setxattr
+- */
+- if (size == 0 || size >= SMK_LONGLABEL ||
+- smk_import(value, size) == NULL)
+- rc = -EINVAL;
++ strcmp(name, XATTR_NAME_SMACKIPOUT) == 0) {
++ check_priv = 1;
++ check_import = 1;
++ } else if (strcmp(name, XATTR_NAME_SMACKEXEC) == 0 ||
++ strcmp(name, XATTR_NAME_SMACKMMAP) == 0) {
++ check_priv = 1;
++ check_import = 1;
++ check_star = 1;
+ } else if (strcmp(name, XATTR_NAME_SMACKTRANSMUTE) == 0) {
+- if (!smack_privileged(CAP_MAC_ADMIN))
+- rc = -EPERM;
++ check_priv = 1;
+ if (size != TRANS_TRUE_SIZE ||
+ strncmp(value, TRANS_TRUE, TRANS_TRUE_SIZE) != 0)
+ rc = -EINVAL;
+ } else
+ rc = cap_inode_setxattr(dentry, name, value, size, flags);
+
++ if (check_priv && !smack_privileged(CAP_MAC_ADMIN))
++ rc = -EPERM;
++
++ if (rc == 0 && check_import) {
++ skp = smk_import_entry(value, size);
++ if (skp == NULL || (check_star &&
++ (skp == &smack_known_star || skp == &smack_known_web)))
++ rc = -EINVAL;
++ }
++
+ smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_DENTRY);
+ smk_ad_setfield_u_fs_path_dentry(&ad, dentry);
+
+@@ -2847,8 +2859,17 @@ static void smack_d_instantiate(struct dentry *opt_dentry, struct inode *inode)
+ if (rc >= 0)
+ transflag = SMK_INODE_TRANSMUTE;
+ }
+- isp->smk_task = smk_fetch(XATTR_NAME_SMACKEXEC, inode, dp);
+- isp->smk_mmap = smk_fetch(XATTR_NAME_SMACKMMAP, inode, dp);
++ /*
++ * Don't let the exec or mmap label be "*" or "@".
++ */
++ skp = smk_fetch(XATTR_NAME_SMACKEXEC, inode, dp);
++ if (skp == &smack_known_star || skp == &smack_known_web)
++ skp = NULL;
++ isp->smk_task = skp;
++ skp = smk_fetch(XATTR_NAME_SMACKMMAP, inode, dp);
++ if (skp == &smack_known_star || skp == &smack_known_web)
++ skp = NULL;
++ isp->smk_mmap = skp;
+
+ dput(dp);
+ break;
+--
+2.1.4
+